Information Security Tips Series
Digital Certificate (2)
Application Security








Besides applying for personal certificates to send secure emails over the Internet, computer users and organisations can use various types of digital certificates and certificate-based security measures for electronic communication.

A variety of software available on the Internet uses digital certificates issued by a third-party Certification Authority (CA) for digital signing and encryption of documents. However, software compatibility is always a challenge. The parties exchanging signed or encrypted documents must use the same or a compatible version of the software; otherwise, previously signed or encrypted documents may not be readable again.

Organisations, associations or government departments can issue an organisation-based certificate (Organisation Certificate) to their members or employees for secure message or e-mail transmission. The names of both the organisation and the employee or member are embedded in the certificate. To uphold the need-to-use basis, the certificate must be revoked immediately whenever the certificate holder is no longer a member or employee, or is no longer required to discharge duties using the certificate.

An organisation can build customers' trust in the privacy of personal data collection and their confidence in online transactions by securing its website with a Secure Socket Layer (SSL) Certificate (Server Certificate). Users or customers can tell whether the personal information they enter on a website or specific web pages is securely protected by looking for characteristics such as:

- A “padlock” icon on the status bar of the website.  Clicking on the padlock will cause the details and validity of the server’s certificate to be displayed.

- The website address bar shows “https” instead of “http”, such as https://www.website.com. The “s” means “secure”: the webpage and corresponding data are encrypted during transmission through the Internet.

- The homepage or specific web pages will display a site seal (an icon), which is a value-added service with the Server Certificate. Users can click the site seal to check the website owner information and verify the website’s authenticity. The information returned by this click is provided in real time by the CA that issued the Server Certificate.

- The organisation’s own privacy policy and TRUSTe icon (an international privacy programme) are available on the website for users to review.

Today, the explosion of consumer applications for mobile and desktop devices and the proliferation of malware are substantial. Software publishers and mobile network providers increasingly require the programme code of applications to be signed with a certificate from a trusted CA before accepting the code for distribution. Using a Code Signing Certificate (Code Signer) to add a digital signature to the programme code of an application verifies the developer's or publisher's identity and the integrity of the content. Users can then trust that the applications they download from the Internet arrive in an “un-tampered” form.
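
The signing and checking described above can be tried with the openssl command line. This is an added example, not part of the original tip sheet: the publisher name, file names and the self-signed certificate (standing in for one issued by a CA) are constructed for illustration, and real code-signing formats also carry the certificate chain.

```shell
#!/usr/bin/env bash
# Added illustration: detached signature over a constructed "application" file,
# verified with the public key taken from the publisher's certificate.
# "Example Publisher" and all file names are constructed for this sketch.

make_publisher() {   # $1 = working directory
    # Self-signed certificate standing in for one a trusted CA would issue.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Publisher/CN=Example Code Signer" \
        -keyout "$1/publisher.key" -out "$1/publisher.crt" 2>/dev/null
}

sign_file() {        # $1 = working directory, $2 = file to sign
    # The publisher signs a SHA-256 digest of the file with the private key.
    openssl dgst -sha256 -sign "$1/publisher.key" -out "$2.sig" "$2"
}

verify_file() {      # $1 = working directory, $2 = file to check
    # Take the public key from the certificate, then check the signature.
    openssl x509 -in "$1/publisher.crt" -pubkey -noout > "$1/publisher.pub" &&
    openssl dgst -sha256 -verify "$1/publisher.pub" \
        -signature "$2.sig" "$2" >/dev/null 2>&1
}

signer_name() {      # $1 = working directory; prints the certificate subject
    openssl x509 -in "$1/publisher.crt" -noout -subject
}

demo() {
    local dir; dir=$(mktemp -d) || return 1
    make_publisher "$dir" || return 1
    printf 'echo "hello from the app"\n' > "$dir/app.sh"   # constructed payload
    sign_file "$dir" "$dir/app.sh" || return 1

    verify_file "$dir" "$dir/app.sh" && echo "original: signature valid"
    signer_name "$dir"    # identity the user sees for the signer

    # Any change made after signing breaks the signature.
    printf 'echo "extra line"\n' >> "$dir/app.sh"
    verify_file "$dir" "$dir/app.sh" || echo "modified: signature INVALID"
    rm -rf "$dir"
}

demo
```

The signature only proves that the file is unchanged since signing; confidence in who signed it comes from the CA that vouches for the name in the certificate.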









